<HTML>
<!-- --------------------------------------------------------
- deFusinator - JavaScript de-obfuscator plugin for Chrome
- by Tamas Rudnai, all rights reserved
------------------------------------------------------------ -->

<HEAD>
    <TITLE>Howto deFusination</TITLE>
    <STYLE>
    h4 {
      margin-bottom: 0px;
      padding-bottom: 0px;
    }
    </STYLE>
</HEAD>

<BODY>
<H1>Howto deFusinator</H1>
<H4><I>deFusinator is a JavaScript de-obfuscator plugin for Chrome browser.</I></H4>
<I>by Tamas Rudnai (c) 2011 -- tamas.rudnai@gmail.com</I>
<H3>Howto</H3>
<P> 
A good start is to load the page ;-) You can load it directly from the internet or fom the file using the normal browser features. Just type the URL to the URL bar...
</P>

<P><I>
<B><U>Security Precautions:</U></B> If the page contains any malicious code, <B>it can infect your computer!</B> Use a virtual machine such as VmWare or VirtualBox to prevent that. After all it is your responsibility to play with malicious code and the author does not liable for any kinf of damage caused on your computer or loss of data.
</I></P>

<P>
<B>iFrames: </B>
Now that the page has been loaded, try to play with the menu. Click on the 'df' icon and select 'iFrame'. You should see any iframes on the page, even if the iframe was dynamically generated by one of the JavaScript code in the page.
</P>

<P>
<B>Scripts: </B>
With 'Script All' you should see any scripts on the page, even if the script was dynamically generated by one of the static JavaScript code in the page.
</P>
<P>
Now click on a script with 'src={URL}' in it. It means that the content of the script is located somewhere else and is included at that point to the web page. A small menu offers you to analyse the target URL by several online services, such as ACE Insight, myWOT and Robtex.
</P>
<P>
Now click on a script with with a real content. It means that the content of the script was included on the page (or was generated later on directly). A small menu offers you to analyse the script. 'Decode' means it does NOT run the script, but tries to decode the numbers often used to hide the real content. You can also try 'Behaviour Analysis', which will run the script and analyse what does it do during the runtime. This includes 'eval' and unescape' functions as well as 'document.write', 'createElement' and appendChild. You should see the activity on the result pop-up window so you can see if that particular script creates any iframes or scripts or anything else that is suspicious.
</P>

<B>Behaviour Analysis: </B>
It is very similar to the one used in the induvidual script analysis, except it runs every single JavaScripts on the page so the results can be very extensive.
</P>

</BODY>
</HTML>
